Infamous 'Regin' malware linked to Snowden's NSA files

Researchers say that a powerful computer program discovered last year and linked to espionage campaigns against targets around the world is strikingly similar to a piece of malware used by the National Security Agency and its Five Eyes allies.

Earlier this month, journalists at Der Spiegel published the
source code for a computer program called 'QWERTY' –
“a piece of software designed to surreptitiously intercept
all keyboard keys pressed by the victim and record them for later
inspection,” and said that they hoped the disclosure would
“foster further research and enable the creation of
appropriate defenses.”

The QWERTY program, according to documents provided to Der
Spiegel by former NSA contractor Edward Snowden, is part of
an arsenal of malware products used by the National Security
Agency and its intelligence-gathering allies, colloquially called
the Five Eyes. That suite of tools, the German magazine said, is
used by the US, Australia, Canada, New Zealand and the United
Kingdom to eavesdrop on targets and conduct other sorts
of destructive cyber operations.

According to researchers at Kaspersky Lab who have reviewed
QWERTY during the last 10 days, the keylogger's source code can
be linked to 'Regin,' another spy tool that raised eyebrows when
it was discovered in late 2014 and was alleged to have been used
against targets in Algeria, Afghanistan, Belgium, Brazil, Fiji,
Germany, Iran, India, Indonesia, Kiribati, Malaysia, Pakistan,
Russia and Syria, among others.

“Considering the extreme complexity of the Regin platform and
little chance that it can be duplicated by somebody without
having access to its source codes, we conclude the QWERTY malware
developers and the Regin developers are the same or working
together,” Costin Raiu and Igor Soumenkov, Kaspersky researchers
writing on the company's Securelist blog, said on Tuesday.

When details about Regin emerged last November, The Intercept — the online news site founded
by Snowden collaborator Glenn Greenwald — said the spyware
originated as far back as 2003 and had been deployed against
European Union computers and the networks of Belgacom, Belgium’s
leading telecommunications company. Researchers with Symantec
called it “highly suited for persistent,
long term surveillance operations,” and said it had been
included in efforts waged against private companies, government
entities, and research institutes in Saudi Arabia, Mexico and
Ireland.

Less than a month after those initial reports on Regin surfaced,
Germany's Bild newspaper alleged that the spyware had appeared on
a USB drive used with the private computer of the head of Germany's
Department for European Policy, but had been contained before
spreading further through the nation's networks.

“Looking at the code closely, we conclude that the 'QWERTY'
malware is identical in functionality” to a plugin used with
Regin, Kaspersky concluded this week.

The intelligence agencies of the US and its allies are often
accused of eavesdropping on adversarial nations, and the Snowden
revelations have uncovered, among other operations, spy programs
that affect innocent Americans. The QWERTY analysis adds to that
picture: a keylogger identified in the Snowden documents as an
example of a powerful Five Eyes prying tool is likely affiliated
with Regin. If correct, the researchers may have furthered the
case against the NSA and its intelligence-gathering operations,
providing more evidence linking the US spy agency to widespread
surveillance missions.

Following Tuesday's report from Kaspersky, Spiegel published a
follow-up in which the magazine revisited a report from 2011,
two years before the first Snowden leaks, in which a Dutch
cybersecurity expert attributed the tool used to hack Belgacom
to either the NSA or its British counterpart, GCHQ.

According to Spiegel, the Regin tool has also been linked to
hacks which targeted the International Atomic Energy Agency,
based in Austria, as well as the 2011 attack on European
Commission computers and other operations.